There's a truism that I like to share with as many people as possible: if you don't want other people to see something, then don't post it online. It is, you might think, a pretty simple concept to grasp. After all, you wouldn't stroll into a bar with a megaphone and yell "I'm not wearing underwear" if you wanted to keep that secret would you? But would you write that fact down on small pieces of paper and slip them unnoticed into the pockets of people in that bar if you wanted to reveal all (please excuse the unfortunate choice of phrase) without revealing your identity? In a nutshell, that's what apps such as Secret promise to do; but such a promise of anonymity is always going to be hard to deliver.
Secret is one of an increasingly popular application genre known as 'anonymous sharing' which lets you send 'secrets' to your circle of friends without them actually knowing it was you. At least, that's the idea. Seattle-based security outfit Rhino Security Labs quickly shot holes in it with a remarkably simple work around. Secret relies upon 'crowd anonymity' for want of a better description, you join up and let the app interrogate your contacts book and Facebook friends to find others using the app to build your secret social circle. To see any of their posts, you need to have seven or more friends but you won't know which of your friends these are because the app doesn't tell you. Or at least that's how it is meant to work. I've always thought it was flawed anyway, as I would know that it was one of my contacts who posted it; so while I may not know exactly who, the secret is not exactly totally anonymous either. Quite often it would be easy enough to work out, if you know the people in your social circle well enough. But that's besides the point, what Rhino did was use a whole bunch of fake accounts to reveal the truth.
At the time of the research, although Secret may well change that now the details of this hack have been responsibly disclosed to them via their own bug hunting bounty scheme, there was no email or telephone verification block on creating accounts. So creating as many as you wanted was no problem at all. Rhino used a script to create 50 accounts in rapid succession, and added seven of them (numbers and emails) to a blank contacts list on his phone. The only other contact to be added to that address book would be the mark, and all that was needed was the email address. By signing up for a new Secret account and syncing that contact list, Rhino could follow a total of eight accounts but seven of them were controlled by them. Any 'secret' posted by a friend could, in fact, only be authored by the mark.
Now I'm the first to admit that real-world scenarios of how this would impact upon anyone, or could be used to any real effect, are about as hard to conjure up as an image of an honest politician. More concerning is that people use these kind of applications with an assumption of anonymity which, frankly, is always going to be flawed. Indeed, when WIRED magazine asked Secret CEO David Byttow about the bounty scheme which had been running for six months, he confirmed that the company had closed 42 security holes identified by some 38 researchers. That kind of re-asserts my original statement that if you really want to keep something secret then don't tell anyone about it, and certainly don't post it on the Internet or around some smartphone sharing app.
If you want more proof of this, anyone recall the fuss surrounding Snapchat the anonymous image sharing app earlier this year? As reported on DaniWeb in January, hackers managed to access the database of Snapchat users names and email addresses. If that weren't serious enough, claims that all photos (often flirtatious or sexual in nature) self-destruct from the server after 10 seconds were over-played. Sure, the original may well be unavailable after that initial flash (pun intended) but it's easy enough for a recipient to take a screenshot and then have a copy forever.
